Business data is typically stored within hierarchical data structures, such as physical tables of a relational database. A user may generate database-language queries to extract desired data from such data structures. However, generation of these queries requires detailed knowledge of the structure and relationships of a data structure as well as familiarity with database programming. Both requirements are beyond the capabilities of the typical business user.
Business Intelligence (BI) tools provide an abstraction layer for shielding end users from the complexity of relational or hierarchical data structures storing business data. An abstraction layer allows end users to query a data structure using entities (i.e., business objects) having intuitive business meanings rather than references to logical entities of the data structure. BI tools may also allow a user to create a report populated with data retrieved from the data structure using such queries.
It is desirable to provide different users with different levels of access to stored business data. Some existing BI tools, such as BusinessObjects XI 3.0, allow an administrator to restrict a user's access to rows, tables, etc. of an underlying hierarchical data structure. Moreover, BusinessObjects XI 3.0 allows an administrator to restrict a user's access to one or more business objects of an associated abstraction layer. As a result, the user is prevented from creating a query using the business object, from retrieving data corresponding to the business object from the underlying hierarchical data structure, and from viewing data which is associated with the business object in the underlying hierarchical data structure.
Finer control over object-based access restrictions is desired. For example, it may be desirable to independently control each of a user's ability to create a query using a business object, to retrieve data corresponding to the business object from an underlying hierarchical data structure, and to view data which is associated with the business object in the underlying hierarchical data structure. Such control may be used to allow a user to create a report using a business object but also to prevent the user from viewing data which is associated with the business object. Such control may be further used to allow the user to run a query of the report to retrieve the data associated with the business object, even though the user is not allowed to view the data.
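The following added example (not from the original document and not BusinessObjects code) models the three abilities described above as independently granted rights per business object. The names `Right`, `POLICY`, the users, the business objects and the sample rows are all assumptions constructed for illustration.

```python
from enum import Flag, auto

class Right(Flag):
    NONE = 0
    QUERY = auto()     # may use the business object when creating a query
    RETRIEVE = auto()  # may run a query that fetches the object's data
    VIEW = auto()      # may see the values fetched for the object

ALL = Right.QUERY | Right.RETRIEVE | Right.VIEW
MASK = "***"

# Constructed sample rows, keyed by hypothetical business object names.
ROWS = [{"Region": "EMEA", "Salary": 71000},
        {"Region": "APAC", "Salary": 64000}]

# Constructed policy: user -> business object -> independently granted rights.
POLICY = {
    "designer": {"Region": ALL, "Salary": Right.QUERY | Right.RETRIEVE},
    "analyst":  {"Region": ALL, "Salary": ALL},
    "clerk":    {"Region": ALL},  # no entry for Salary: denied by default
}

def rights(user, obj):
    """Default deny: unknown users and unlisted objects get no rights."""
    return POLICY.get(user, {}).get(obj, Right.NONE)

def _require(user, objects, right):
    denied = [o for o in objects if right not in rights(user, o)]
    if denied:
        raise PermissionError(f"{user} lacks {right.name} on {denied}")

def create_query(user, objects):
    _require(user, objects, Right.QUERY)
    return tuple(objects)

def run_query(user, query):
    """Server-side retrieval; the raw result is never handed to the user."""
    _require(user, query, Right.RETRIEVE)
    return [{o: row[o] for o in query} for row in ROWS]

def render(user, result):
    """Apply VIEW per object at display time, masking what the user may not see."""
    return [{o: (v if Right.VIEW in rights(user, o) else MASK)
             for o, v in row.items()} for row in result]
```

Here the designer can build and run a report that includes `Salary` yet sees only masked values when it is rendered, while the analyst viewing the same retrieved result sees the figures.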
Increased flexibility in object-based access control may facilitate beneficial use cases other than and/or in addition to those described above.